HTTPS is secured or not

Why HTTPS & SSL are not secured? Explained!!

If you have been in the IT & Computer industry for long enough, you will see many people advising website owners to use HTTPS as it will help keep website secured from certain attacks. However, this advice has let one beautiful myth spread across all the world believing that having HTTPS on your website means that the website is secured.

However, the truth is its not like that. Allow me to explain this clearly. See HTTPS will secure you from the so called “Script kiddies” from eavesdropping what you surf and on on top of it, it will even transfer your data over a secure layer. But that’s where the job of HTTPS ends. Real guys (Expert Hackers) will find other means to exploit your website, for them it doesn’t matter if the website is on the HTTPS connection or not. They might bypass HTTPS or find another way…

Hence, in this article we are going to discuss everything about HTTPS and its benefits, drawback and some major flaws and many more things.

What is HTTPS & SSL & TLS?

HTTPS stands for Hyper text transfer protocol secure, it is the more secure version of HTTP which stands for Hypertext transfer protocol. HTTPS encrypts the connection between user and website and it uses one of the two protocols to do that job.

The first is SSL protocol which stands for “Secure socket layer” and the other one is TLS protocol which stands for “Transport layer security”. Both the protocol uses “Asymmetric” public key infrastructure i.e PKI to encrypt the connection, with the use of public key and private key.

Anything that is encrypted with the public key can be unlocked with a private key and vice a versa. The private key is usually kept protected and is only accessible to the owner and on the other hand public key is meant to be distributed to anyone who needs to decrypt the connection which is encrypted with private key.

The mechanism of HTTPS Explained

Now that you get the gist of what is HTTPS, let us see how it works. Now as mentioned above HTTPS has SSL and TLS protocol and one of them is used to encrypt the communication. To understand the mechanism, first we will see what these two protocols means and what their job is.

SSL or Secure Socket Layer

SSL stands for secure socket layer as mentioned earlier, it encrypts the connection between the browser and the website. Its a standard security protocols for establishing the encrypted links. And it makes sure the data which is transferred is encrypted.

For establishing encrypted links an SSL Web certificate is required. SSL certificate on the other hand is nothing but a digital certificate with a digital signature on it which verifies the website for who they say they are. In short SSL certificate acts like an identity card of your website.

SSL - Secure Socket Layer
SSL – Secure Socket Layer

So when your website tries to connect with your browser, your browser will ask for the papers or something, that will prove the browser your identity, then the website will send the SSL certificate to the browser and then the browser will verify and allow your website to connect.

TLS or Transport Security Layer

TLS stands for transport security layer as mentioned earlier, it is also known as successor to secure socket layer i.e SSL. TLS is used for sending emails, it also use for other types of data transfers. What TLS protocol does is, that it allows client and server to negotiate with each other, during that negotiation, client and server authenticate with each other, where even the cryptographic keys are authenticated and then the data is exchanged.

TLS - Transport Layer Security
TLS – Transport Layer Security

In the mutual authentication, only the server side is authenticated while on the other hand the client remains unauthenticated. Just like SSL the private key remains protected and the public key is deployed to the client in order to decrypt, thus by maintaining the privacy of the connection and overall ensuring no one eavesdrop the communication between the client and the server.

So what did we understood from the long explanation?

HTTPS does encrypts your communication and the data that is transferred from one end to other end over the web. However, it is also a way for website to verify its identity with various browsers. Especially chrome, which forces users to install HTTPS connection on their website by labeling them as not secure. And so in the end they leave you with no choice but to install an HTTPS connection on your website that has an SSL certificate (that you paid for).

So why Google is forcing everyone to install a secure connection on their website?. Google is using HTTPS as a ranking factor in their ranking algorithm to rank websites. In short website which has HTTPS connection installed on them will rank higher and faster than those with HTTP connection. Also, since they’ve started labeling “Non-HTTPS” websites as “Not safe to browse” or “Not secure”, is of course one of the main reason why people are believing that website with HTTPS connection are the safest websites to browse.

However reality is something else which confirms that there are drawbacks to HTTPS too! So let us discuss about that.

Difference between Paid & Free SSL, Small drawbacks & Role of Certificate Authority

First drawback that is a common one and comes in mind instantly, which is the cost of the SSL certificates and the time limit, not only the SSL certificates are costly but they also have year long validity. Small websites who don’t have enough capital to buy these costly secured certificates often opt for the ones that are given away for free.

The time limit provided to the free certificates is limited from 30-90 days while the paid one has a year long validity but since the free ones requires no money so website owners can renew it as long as they want. Though the encryption offered by the free certificates are on the same level as paid ones.

Paid certificates comes with warranty and customer support which covers everything when the injury is caused to the website and the one that is responsible for this is a “Certificate Authority” whose job is to give a valid signed SSL certificate that is issued to your website. Free certificates doesn’t have any certificate authority that you can trust nor does it provides any warranty or customer support in case your website is breached.

Lets Encrypt Free SSL
Lets Encrypt Free SSL

Before the paid certificates are issued, the company that provides these paid certificates also verifies the website owners and their business. The company which provides free certificates doesn’t opt for business and website verification.  Also, Free certificates only provide domain validation while Paid certificates comes with multiple offers which is just explained above.

However, you might be wondering why did i explained the difference between free and paid SSL certificates if we’re going to see the drawbacks of the HTTPS. Because there was one thing that i needed make sure that those who read this post understand and that thing is the “Role of Certificate Authority”.

As i mentioned earlier the role of the certificate authority is to issue a valid signed SSL certificates, however they also issue “Root certificates” (with digital signature same as they do with SSL certificate) now these root certificates can be also issued to browser makers such as Google Chrome, Firefox, Opera, so they can include that Root certificate in the web browser, this so that the when a browser receives a SSL certificate with the help of root certificate the are able to validate website’s identity.

Now since the valid signed SSL certificate is issued to a verified owner their certificate will contain information like :-

  • Domain or Website URL
  • Site owner information or Company name
  • The location of the website & company (Country, state and so on…)
  • The period of validity

Hence once that data is verified, the hash of the data is generated, the hash in return also acts as a digital signature for the certificate.

With that, one thing gets clear, that these certificates are like a long chain. In short a valid signed SSL certificated is validated and confirmed using a Root Certificate issued by a Certified authority and these Root certificates are yet validated by another higher authority certificate.

The Hash Collision

In 2008 a group security researchers explained, how they were able to forge a fake SSL certificate which had MD5 hashing algorithm, using a collision based attack. These security researchers carefully bought a valid signed SSL certificate from  “Rapid SSL” however, they created their own fake “Root certificate” in such a way that the hash was identical to the hash of the valid signed certificate which they just bought. Even though the hashes were identical, they were generated from different data and that is known as “Hash collision”.

If it sounds more complicated then allow me to break down this hash collision with a simple example.

Let’s say you’re on a trip with your friend circle which comprises of Group A and Group B, you book two separate rooms in a hotel i.e One for Group A and the other for Group B. But there is a catch, both the rooms has same “Room no.” but the color of the plate of that Room no. is different and the person who handed you the keys forgot tell you which room is for Group B and which one is for Group A hence as a result your group may get confused.

Google's successful SHA-1 Collision achieved
Google’s successful SHA-1 Collision achieved

That’s what happening in the “hash collision attack” where the room number (the hash) is identical, but, the colors of that room number plate (data) is different. The group of researchers brought the valid SSL certificate from Rapid SSL and since the hash was the same as their fake Root certificate, their fake certificate became valid. For this they used the weakness of MD5 hashing algorithm which allows construction of different messages with the same hash.

With this we reach one conclusion, that also means that if it is possible to forge a fake root certificate with a valid hash, it will allow us to create a valid signed SSL certificate that has no hashing algorithm, for any website in the world. This assumption alone has enough power to make HTTPS and SSL certificates unreliable.

But you may question that since the researchers used the weakness in the MD5 hashing algorithm, well doesn’t it become possible prevent the forging of certificates by using a better hashing algorithm like SHA-128 or SHA-256?

Well its a valid question but unfortunately the answer can’t be decided yet, that’s because Google was able to achieve SHA-1 or SHA-128 hash collision on February 23, 2017 and its not long that someone will even bypass and achieve hash-collision from the SHA-256 hashing algorithm, because there is no such thing as perfect security in the world and on the internet and i don’t think that will ever be the case in the future.

SHA-256 is the latest and the strongest hashing algorithm, but if someone is able to achieve a hash collision and doesn’t reveal it to the world then the entire HTTPS & SSL system will come crashing down. So if HTTPS & SSL are made to withstand hash collision then we can consider them as secure, simply improving the hashing algorithm is not going to cover up the weakness that already exist.

What it may lead to?

If someone is able to create a perfectly valid SSL then this may lead to man in the middle attack which are on whole another level and on the other hand you may not have a clue what is happening behind the scenes. So we will take one scenario of man in the middle attack to see how critical the situation is.

  • You are exchanging mails using your company’s email and your company’s website is over HTTPS.
  • The attacker diverts your request to his fake server which has fake certificate with a valid hash/sign.
  • Your browser which is the client thinks everything is OK and then connects to his fake server.
  • Now your emails are travelling through attacker’s server.
  • Which are then decrypted, recorded & manipulated and then transfer to company’s real server with actual valid SSL certificate.

This is how the critical the situation is. Originally the PKI or Public key infrastructure was made to stop such attacks, however, just like how they did with MD5 SSL attack and how Google was able to bypass SHA-128 and achieve hash-collision, if someone is able to bypass SHA-256 then this PKI would be of no use just like during the times of MD5 Hashing algorithm & SHA-128 Hashing algorithm.

Wrapping up

We hope this clears up the misconception that – SSL and HTTPS is only a way to validate the website’s identity and not a way to confirm that, if a particular website is safe to browse or not. SSL is useful because it gives trust and compliance to users and visitors of website and is one of the major SEO ranking factor for Google. But website owners must understand that it is nothing but a security measure which can be bypassed if well researched.

If you have any views or questions you can post it down in the comment section below, we will try to answer your question to the best of our abilities.

Note : If you’re interested you can also check out how Big data is affecting and destroying privacy!!